
Attackers’ new way to bypass Google’s two-factor verification: send an SMS

22 May 2021

Two-factor verification has become standard across the vast majority of online services to reinforce the security of our private data, but as we always say, there is no perfect security system. CSO reports what Alex MacCaw, co-founder of Clearbit, recently experienced: an SMS that, on its own, can be used to get around that two-factor verification and gain entry to someone else’s Google accounts.

The idea behind this SMS is to confuse the unsuspecting user and get them to text back a Google verification code, which would allow the attacker to enter the account and access all of its data.

The tactic is this: someone, the attacker, has obtained the password for your Google account. But since you have two-step verification enabled, they cannot get into your account, because the verification code generated when the password is entered is sent to your mobile, which you have and the attacker does not.

In this situation, the attacker sends the following message to your mobile:

We recently received a suspicious attempt to identify your account from the IP address XXX.XX.XX.XXX (Location). If you have not tried to log in from that location and want to temporarily block your account, respond to this alert with the six-digit verification code that you will receive in a few moments. If you have authorized that identification attempt, please ignore this warning.

Then the attacker tries to log into Google with your account and password. Of course, Google sends a code to your mobile because you have two-step verification enabled, so an unwary user may believe that both messages come from Google, when in fact only the second one does.

If the victim replies with the verification code, they are handing the attacker full access to their Google account.


How to identify and avoid this attack?

It is simple: you receive a verification code on your mobile to log into Google only right after you have entered your account password in an app or on the web. So if you receive one without having done so, or you receive one right after getting one of these suspicious SMS messages, do not send the verification code to anyone under any circumstances.

Another way to think about it: the verification code Google sends you must be entered only where you are trying to log in at that moment, and nowhere else. If someone or something else asks you for it, they are trying to log into your account.

Image | barsen